(54) Secure printing



(57) In a distributed computing environment, a user is able to send a document to a
secure printer 140 in such a way that only the intended recipient can print the
document. When the user specifies that the document is to be printed securely, a
special print job is created in which the document is encrypted under the recipient's
public key. Then, when a print server 130 receives the print job, it is incapable of
printing it, as it is encrypted, and the job is held. When the recipient's smart card
145 is inserted into a smart card reader of the secure printer 140, the recipient's
identity from the smart card is used to search for and retrieve documents from the
print server 130 for the recipient, and private key information on the smart card 145
is used to enable decryption and printing of the document by the printer.
Description



Technical Field 



[0001] The present invention relates to hardcopy production of documents and
particularly, but not exclusively, to document printing.



Background Art

[0002] It is well known to generate or design a document using a computer-based text
editing or graphics package, for example Microsoft Word or Microsoft Excel
respectively. Once generated, a document is typically formatted by the package into a
data file that comprises, for example, PCL or PostScript data, which is interpretable
by a hardcopy device such as a printer. The document data file can be sent directly by
the package to a printer to be printed, or can be stored for printing at a later time.

[0003] This principle typically applies to all types of printer, for example laser
printers, ink jet printers, impact printers and thermal printers, and in general to
other hardcopy devices such as plotters or facsimile machines.

[0004] For the sake of convenience of description herein, the term "document" will
hereafter be used as a convenient term to denote a document in any state, including
when viewed on a computer display, when formatted as a hardcopy apparatus-readable
data file ready for rendering, and when in hardcopy form. The state of the document at
any point in the description depends on the context. Also, the term "document" will be
used to describe a textual, graphical, or mixed representation.

[0005] The advent of distributed computer systems has made it possible for a single
"network" printer to be used by multiple users. Typically, network printers are
attached to computing platforms operating as print servers within distributed systems.
Alternatively, some printers, given appropriate interfaces, can be arranged to connect
directly to the network of a distributed system.

[0006] Network printers, whether connected directly, or via a print server, to a
network can provide a substantial cost advantage, since each user need not have his
own printer connected to, or located near to, his own computer system.

[0007] The ability to access network printers, and other devices, from a local
computer, is readily supported by operating systems such as Unix or Microsoft's
Windows NT, which are designed to be configured to manage distributed operations such
as remote printing or data management.

[0008] One problem with printing documents on remote network printers is that any
person near to the printer could remove or read printed documents containing sensitive
information, which do not belong to them, before the correct recipients are able to
retrieve the documents. One way around this is for users who need to print sensitive
documents to arrange for a trusted person to stand by the printer while the document
is printing and collect the document as soon as it has printed. This is, of course,
inconvenient.

[0009] Another way to increase security is to print sensitive documents only on a
local printer. The latter case, however, undermines any cost advantages gained in
having a centrally located network printer, especially if many users need to print
sensitive documents.

[0010] Another problem associated with remote printing of sensitive documents is that
a malicious party could intercept or monitor the transfer of data between the local
computer and network printer. For example, anyone with access to a print spooler or
print server receiving the document for printing could access the document. This would
be highly undesirable and, again, could be overcome by using a local printer attached
directly to the originating computer instead.

Disclosure of the Invention 

[0011] Aspects of the present invention aim to increase the security of remote
printing.

[0012] In accordance with a first aspect, the present invention provides hardcopy
apparatus comprising interface means for receiving from a document store an encrypted
document, processing means configured for decrypting the encrypted document and
rendering means for producing a hard copy of a decrypted document.

[0013] This aspect of the invention provides a secure mechanism in which a document
can be encrypted prior to it being sent for rendering by the hardcopy apparatus. The
hardcopy apparatus, such as a printer, is configured to receive and decrypt encrypted
documents prior to producing a hard copy of the document.

[0014] Thus, even if a document were intercepted during transfer between a computer
and network printer, say, it would be a non-trivial task for the intercepting party to
decrypt the document.

[0015] In a preferred embodiment of the invention, the hardcopy apparatus further
comprises input/output means for communicating with a removable processing means.

[0016] Preferably, the input/output means is a smart card reader, and the removable
processing means is a smart card received by the smart card reader.

[0017] The processing means may then be configured for receiving information from the
smart card reader, when a smart card is received thereby, and using the information to
retrieve and decrypt an encrypted document. It would be possible to supply the
information using, for example, a keypad, or even a swipe card reader, but a smart
card is perceived by the applicants to be far more convenient.

[0018] In a preferred embodiment, the processing means is configured for receiving
from the smart card an identity, sending a first message via the interface means to
the document source, the message including at least an indication of the identity, and
receiving, from the document source via the interface means, in response to the first
message, a return message including at least an encrypted session key for an encrypted
document stored by the document source and having a matching identity.

[0019] Thus, the identity on the smart card is passed to the document source in order
for the document source to search for and return an encrypted session key for any
documents that have a matching identity. At this stage, the document source may also
return the encrypted document. However, this would depend on the amount of storage
available to the hardcopy device for temporarily storing documents.

[0020] The hardcopy apparatus is then, preferably, configured for sending the
encrypted session key to the smart card reader, for the smart card to extract the
session key, and receiving back the session key. The processing means may then be
configured for using the session key to decrypt the encrypted document.

[0021] This approach has the advantage that the private key used to decrypt the
session key need not leave the smart card. The implication of this is that the overall
mechanism relies on a secret that never becomes known to the printer or any other part
of the distributed system.

[0022] Typically, the document store takes the form of a special print server which is
configured to receive encrypted documents for printing and storing the documents until
a request message for a document is received from, for example, hardcopy apparatus
configured according to the present invention. The form of the document store will be
described in more detail below.

[0023] In this way the actual hardcopy production can be initiated by a user inserting
a smart card into the hardcopy apparatus's smart card reader at any time after the
encrypted document has been submitted to the document store.

[0024] This has the advantage that once a document has been submitted for rendering,
it is held by the document store until a remote party inserts a smart card into a
remote hardcopy apparatus. Accordingly, the hardcopy of the document is only produced
when it is convenient for the recipient, who may or may not be the same person as the
sender, to retrieve the document in person.

[0025] Preferably, the information received from the smart card includes an identity,
for example the identity of the owner of the smart card, and the hardcopy apparatus is
configured to send a message including the identity to the document store. In
response, the document store can determine whether it has a stored document with a
matching identity, and forward the document to the hardcopy apparatus. Typically, in
this case, documents will be submitted with associated identity information to the
document store for rendering.
[0026] In the preferred embodiment to be described, a user is able to send a document
to a secure printer in such a way that only the intended recipient can print the
document. When the user specifies that the document is to be printed securely, a
special print job is created in which the document is encrypted under the recipient's
public key. Then, when the document store receives the print job, it is incapable of
printing it, as it is encrypted, and the job is held. When the recipient's smart card
is inserted into the secure printer, the recipient's identity from the smart card is
used to search for and retrieve documents for the recipient, and private key
information on the smart card is used to enable decryption and printing of the
document by the printer.

[0027] In accordance with a second aspect, the present invention provides a method of
controlling hardcopy apparatus to render an encrypted document, comprising the steps
of retrieving from a document source an encrypted document, decrypting the encrypted
document, and rendering the document to produce a hardcopy thereof.

[0028] In accordance with a third aspect, the present invention provides a computer
system arranged for secure rendering of documents, the system comprising secure
printing means for encrypting a document for an intended recipient and forwarding to a
document store means the encrypted document with identity information of the intended
recipient, document store means for receiving encrypted documents and respective
identity information and storing said encrypted documents and respective information,
and for receiving requests from hardcopy apparatus for documents having a specific
identity and sending respective documents to the respective requesting hardcopy
apparatus, and hardcopy apparatus arranged for requesting of the document store means
transfer of encrypted documents having a specific identity, decrypting received
documents and rendering in hardcopy form decrypted documents.

[0029] In accordance with a fourth aspect, the present invention provides a document
server, comprising document processing means arranged for receiving encrypted
documents, storing encrypted documents, receiving requests for specific documents,
searching the stored documents for the specific documents, and returning found
documents to the requesting party.

Brief Description of the Drawings

[0030] An embodiment of the present invention will now be described, by way of example
only, with reference to the accompanying drawings, of which:

Figure 1 is a diagram which illustrates a distributed computing environment which
supports secure printing in accordance with an embodiment of the present invention;

Figure 2 is a block diagram of an architecture for a printer according to the present
embodiment;

Figure 3 is a flow diagram which illustrates the steps involved in a user submitting a
document for secure printing; and

Figure 4 is a flow diagram that illustrates the steps involved in a secure printer
retrieving and printing a print job.

Best Mode For Carrying Out the Invention, & Industrial Applicability

[0031] The following description refers specifically to a printer as the hardcopy
device. However, it is emphasised that the same principles apply to other hardcopy
apparatus such as facsimile machines.

[0032] In Figure 1, a local computer 100, for example an Intel Pentium based computer
operating under Windows NT 4.0, includes the standard components of a keyboard, a
display and a mouse (none of which are shown). The local computer 100 is attached to a
network 110, for example a network supporting the TCP/IP protocol. The local computer
100 provides a secure printer process, which is a software routine that can be
initiated by a user when secure printing is required. The process, and all other
processes in this embodiment, can be written in any general purpose programming
language, such as Visual C++.

[0033] Also connected to the network 110 are a directory server 120, a document store
130, a secure printer 140 and billing engine 150.

[0034] The directory server 120 is a process running on a computer which has access to
a database 125 of user-specific information, known as user profiles. The directory
server 120 is arranged to receive, from requesting processes, requests for specific
information for particular users, and returns the specific information to the
requesting process whenever possible. The computer running the directory server 120
could be a Unix or Windows NT platform connected to the network 100 via an appropriate
interface. The directory server 120 in the present embodiment is a simple database,
which receives enquiries and returns relevant data, but it could be based on purpose
built directory services such as Novell's NDS or Microsoft's Active Directory. In
accordance with the present embodiment, the directory server 120 is configured to
receive a request including a user identity and return at least a public encryption
key associated with the identified user. Communications with the directory server 120
may be with a network protocol such as the Lightweight Directory Access Protocol
(LDAP).
[0035] The document store 130 is a process running on a computer which receives and
stores encrypted document files and associated user identities. The document store
130 also receives requests to forward to specified locations encrypted document files
having a specified identity. Again, the computer running the directory server 120
could be a Unix or Windows NT platform connected to the network 100 via an appropriate
interface.

[0036] In practice, the document store 130 can be a modified print spooler or print
server process, which has access to a large amount of data storage, for example
provided by a disk drive 135. The spooler or server is modified in the respect that it
is arranged to recognise encrypted documents and, rather than forwarding them to a
specific printer, hold or store the encrypted documents. The spooler or server is also
modified to receive requests from printers for specific encrypted documents, search
for the specified encrypted documents and transfer the encrypted documents to the
requesting printer.

[0037] It should be noted that the document store 130 in the present embodiment is an
untrusted part of the distributed system, in that the document store 130 is configured
to return documents to any requesting printer, or other device, using an appropriate
protocol. The present embodiment relies on the security of the strong encryption
applied to the document to protect the information in the document.

[0038] In other embodiments, where security is even more important, it is envisaged
that the document store 130 would further incorporate authentication functionality,
which would allow the document store to authenticate either the requesting printer or
smart card user. Authentication systems using, for example, digital signatures, are
well known and will not be considered herein in any more detail.

[0039] The architecture of the printer 140 according to the present embodiment is
illustrated in more detail in Figure 2. Figure 2 illustrates a central processing unit
(CPU) 200 that controls a print engine 210, which is a standard part of any printer
that enacts printing, and the details thereof are beyond the scope of the present
description. A read only memory (ROM) 220 is connected to the CPU 200 by an
appropriate system bus 205. The ROM 220 contains the instructions that form the
control program for the printer. Also connected to the system bus 205 is non-volatile
memory (NV-RAM) 230 and main memory (DRAM) 240. The NV-RAM 230 can be E²PROM or Flash
RAM for receiving and storing services downloaded into the printer. The DRAM 240 is
used by the printer as buffer memory for receiving jobs to be printed, and is also
used by the CPU 200 in the present embodiment as workspace for decryption and session
key storage. All the features of the printer 140 described so far are standard on many
generally available printers. The diagram also illustrates the standard printer
features of a network interface 250, various sensors 260, for example 'paper out', and
a front panel display and keypad 270, all connected to the CPU via the system bus 205.
Finally, a smart card reader 280 is provided, also connected to the system bus 205,
although it could alternatively be connected via the printer's RS232 port, where one
is available. Thus, the only significant, non-standard hardware feature of the printer
is the smart card reader 280. The other differences depend on software or firmware
processing.
[0040] Smart card readers are generally available, and conform to accepted standards.
The smart card reader used in the present embodiment supports the ISO 7816 standard
(levels 1 to 4), and some extra functionality not covered by the ISO standard, which
is described herein. Corresponding smart cards are also readily available, and are
programmable to operate as described herein.

[0041] In practice, the smart card reader can be incorporated into the casing of a
standard printer. Thus, in this case, the only significant, noticeable difference
about the printer is a slot 143 in the casing into which a smart card 145 can be
inserted and retrieved.

[0042] Printers which generally have the features illustrated in Figure 2 are a
Hewlett-Packard LaserJet 5 or a Hewlett-Packard LaserJet 4000. In either printer, the
printer's conventional control program can be modified as described herein, by either
replacing the printer's firmware in ROM 220, or by creating a 'service' which can be
downloaded into the printer's flash memory, NV-RAM 230, from the network.

[0043] Details on how to modify control programs in Hewlett-Packard and others'
printers are beyond the scope of the present description, but are readily available
from Hewlett-Packard Company or from the respective other printer manufacturers.

[0044] The billing system 150 is a process running on a computer which electronically
bills users of the secure printing system. There are three main areas where users
could be billed, which are for: submission of an encrypted document to the document
store 130; storage by the document store 130 of a document for a specified time; and
transmission and successful printing of the document. Other acts, such as using the
directory server 120, could potentially also be billed. The sender or the recipient,
or both, could be billed for any or each of these acts. For example, the sender could
be billed for the submission, and the recipient could be billed for the storage and
printing of the document. Of course, the sender and the recipient might be the same
person, or different people from the same organisation, in which case a single person
or organisation respectively would be billed for everything. Further, the owner of the
document store and the owner of the printer might be different independent service
providers. For example, in the case where the printer is in a public place, and is
for use by the public, then the printer's owner would want financial reward for
providing the service. Therefore, it would be necessary for a printer to identify
itself in enough detail that the billing system 150 could allocate billed funds to the
printer's owner.

[0045] For every act, it is necessary to identify the party to be billed and the party
to be paid. Electronic identification and authentication for the purposes of
electronic billing are well known in the field of electronic commerce, and will not
therefore be discussed in any more detail herein.



[0046] The operation of the local computer 100 in submitting a secure print job will
now be described with reference to the flow diagram in Figure 3.

[0047] In step 300 of Figure 3, the local computer's operator (not shown), in other
words the document's sender, has a document, for example a word-processed document, to
be submitted for printing. The sender initiates the secure printing process for the
secure printing of the document in step 305. The secure printing process, in step 310,
generates a graphical user interface, which requires the sender to enter the document
details and the identity of the intended recipient. Of course, the intended recipient
might be the sender himself. The sender enters the required details in step 315.
Having received a valid input from the sender, the process, in step 320, continues by
transmitting a request including the details input by the sender to the directory
server 120. In response, the directory server 120 returns to the secure printing
process the public key for the intended recipient, in step 325.

[0048] Next, in step 330, the secure printer process formats the document into a page
description language, such as PostScript or PCL, which is interpretable by a printer.
Obviously, the language will depend on the type of printer or other hardcopy apparatus
to be used. The secure printer process then, in step 335, applies bulk encryption to
the formatted document while retaining its integrity. This can be achieved using a
message digest function such as the Secure Hash Algorithm (SHA-1) and a symmetric
block or stream cipher, for instance, Data Encryption Standard (DES). The cipher uses
a random number generated by the secure printer process to enact the encryption. The
random number constitutes a session key. This step is a symmetric encryption step,
which relies on a recipient having access to the session key to decrypt the document.

[0049] Alternative message digest algorithms, such as MD5, symmetric ciphers such as
CAST or IDEA, and asymmetric algorithms such as the Elliptic Curve ElGamal encryption
scheme can be used instead of the algorithms specified earlier.

[0050] In step 340, the secure printer process then applies an asymmetric encryption
algorithm, such as RSA, to the session key, using the intended recipient's retrieved
public key. Thus, after this step, only someone who has knowledge of the private key
associated with the public key can decrypt the session key and hence then decrypt the
document.

[0051] In step 345, the secure printing process forwards across the network 110, to
the document store 130, a message comprising the encrypted document, an 'envelope' for
the document (which contains the encrypted session key), and the respective identity
of the intended recipient.

[0052] Finally, in step 350, the document store 130 receives the message and stores it
appropriately to hard disk 135.

[0053] The process of securely printing a document retrieved from the document store
130 will now be described with reference to the flow diagram in Figure 4.

[0054] In step 400 of Figure 4, the intended recipient of the document, which has been
stored by the document store 130 as described already, inserts his smart card into the
smart card reader 280 of the secure printer 140. The smart card includes the
recipient's identity and the recipient's private key. Although not illustrated in the
flow diagram, it would be typical at this stage for the printer 140 to request entry
by the recipient of a personal identification number, to verify that the recipient is
the genuine owner of the smart card, and not someone who has found, or even stolen, it.

[0055] The smart card reader 280 reads the smart card, in step 405, and extracts the
identity therefrom. Then, in step 410, the smart card reader 280 forwards the identity
to the printer's CPU 200. The CPU 200 receives the identity in step 415 and generates
a message including the identity, in step 420, which it forwards to the document store
130 in step 425.

[0056] In step 430, the document store 130 receives the message and, in step 435,
searches the hard disk 135 for any documents having the same identity. In the present
embodiment, the document store 130 will find one document. However, in general, there
may be none, or any number of documents having a matching identity stored on the hard
disk 135. At this stage, the document store 130 and printer 140 may be arranged to
interact to provide status information to the recipient, displayed on a front panel
display 270 of the printer, for example showing the number of documents awaiting
printing, or that there are no documents waiting.

[0057] Next, in step 440, the document store 130 returns to the printer 140 only the
envelope for the document having the matching identity. In principle, the document
could be sent at this stage as well, although whether or not this is done depends on
the size of the document and the amount of available printer buffer memory. It is
believed preferable at present to retrieve only the envelope, unless the printer 140
has a significant amount of RAM 240 into which the whole document could be received.

[0058] In step 445, the printer receives the envelope and, in step 450, forwards the
encrypted session key to the smart card reader 280. The smart card reader 280
transfers the encrypted session key to the smart card, and the smart card, in turn,
decrypts the session key, in step 455, using the private key stored therein. The smart
card outputs the decrypted session key, in step 460, and the smart card reader 280
forwards the session key to the CPU 200, in step 465.

[0059] This technique for retrieving the session key is extremely advantageous, since
the private key never needs to leave the smart card, and thus remains secret.

[0060] The printer 140 forwards a message to the document store 130, in step 470, for
the document store to transmit the encrypted document to the printer 140. In step 475,
the document store 130 receives the message, and, in step 480, transmits the document
to the printer 140. In step 485, the printer 140 receives the document and, in step
490, deciphers it back into page description language using the session key.

[0061] Finally, in step 495, the printer prints the document for the intended
recipient.
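The two procedures just described, submission (steps 300 to 350) and retrieval (steps 400 to 495), as one runnable simulation. This is an added example, not code from the patent: the HMAC-based stream cipher, SHA-1 digest and textbook RSA are standard-library stand-ins for the DES, SHA-1 and RSA named in the text, and the 256-bit session key, the 512-bit toy modulus and the class names are assumptions of the example; unpadded RSA and digest-then-encrypt are kept only to mirror the description, where a modern design would use RSA-OAEP and an authenticated cipher.

```python
"""Envelope protocol of the secure-printing embodiment (steps 300-350 and 400-495).

Added example, not code from the patent.  Standard-library stand-ins only:
  bulk cipher : HMAC-SHA256 keystream in counter mode (in place of DES)
  integrity   : SHA-1 digest appended before encryption, as the text describes
  key wrapping: textbook RSA on a toy 512-bit key (in place of padded RSA)
The 256-bit session key and the party names are assumptions of this example.
"""
import hashlib, hmac, secrets, struct


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for demo-sized keys."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(bits=512):
    """Toy RSA key pair as ((e, n), (d, n)).  Demo size only."""
    e = 65537
    while True:
        p, q = (secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1 for _ in "pq")
        if p != q and _is_probable_prime(p) and _is_probable_prime(q):
            phi = (p - 1) * (q - 1)
            if phi % e:  # e must be invertible modulo phi
                return (e, p * q), (pow(e, -1, phi), p * q)

def _keystream_xor(key, data):
    """Counter-mode keystream from HMAC-SHA256; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def bulk_encrypt(session_key, pdl):
    """Step 335: encrypt the formatted page-description data together with its digest."""
    return _keystream_xor(session_key, pdl + hashlib.sha1(pdl).digest())

def bulk_decrypt(session_key, blob):
    """Step 490: recover the PDL; a wrong key or a tampered blob fails the digest check."""
    plain = _keystream_xor(session_key, blob)
    pdl, digest = plain[:-20], plain[-20:]
    if not hmac.compare_digest(hashlib.sha1(pdl).digest(), digest):
        raise ValueError("integrity check failed")
    return pdl

class DocumentStore:
    """Untrusted store ([0037]): holds ciphertext only and answers any requester."""
    def __init__(self):
        self.jobs = []  # (recipient identity, envelope, encrypted document)
    def submit(self, identity, envelope, ciphertext):  # steps 345-350
        self.jobs.append((identity, envelope, ciphertext))
    def envelopes_for(self, identity):  # steps 435-440: envelopes only, not documents
        return [env for ident, env, _ in self.jobs if ident == identity]
    def document(self, identity, envelope):  # steps 475-480
        return next(c for i, e, c in self.jobs if (i, e) == (identity, envelope))

class SmartCard:
    """Carries identity and private key; only the unwrapped session key leaves ([0021])."""
    def __init__(self, identity, private_key):
        self.identity, self._priv = identity, private_key
    def unwrap(self, envelope):  # step 455: the RSA decryption stays inside the card
        d, n = self._priv
        k = pow(envelope, d, n)
        if k >> 256:  # not a 256-bit key: the envelope was wrapped for another card
            raise ValueError("envelope not addressed to this card")
        return k.to_bytes(32, "big")

def submit_secure_job(pdl, recipient, directory, store):
    """Sender, steps 320-350: look up public key, bulk-encrypt, wrap key, submit."""
    e, n = directory[recipient]  # step 325: directory maps identity -> public key
    session_key = secrets.token_bytes(32)  # step 335: fresh random session key
    envelope = pow(int.from_bytes(session_key, "big"), e, n)  # step 340, textbook RSA
    store.submit(recipient, envelope, bulk_encrypt(session_key, pdl))
    return envelope

def secure_print(card, store):
    """Printer, steps 405-495: identity -> envelopes -> card unwraps -> decrypt."""
    pages = []
    for envelope in store.envelopes_for(card.identity):  # steps 420-445
        session_key = card.unwrap(envelope)  # steps 450-465
        pages.append(bulk_decrypt(session_key, store.document(card.identity, envelope)))
    return pages  # step 495: plaintext PDL for the print engine, one entry per job
```

The store plays the untrusted document store 130 of [0037]: it holds only envelopes and ciphertext, and a card holding a different private key fails at the unwrap step rather than yielding a readable document.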

[0062] It will be appreciated, that the network 110 
could be a local area network, a wide area network or 
. even global area network. For example, for the case of 
10 a global area network, the local computer 100-pould be 
situated in an office in London and the printer could be 
located in.an airport in Tokyo or New York. Similarly, the 
\ directory server 120 and the document store 130 could 
be located anywhere in the world, v 
15 [0063] In some embodiments, for responsiveness pur- 
• poses, it may be desirable to have mirror document 
stores (not .shown) similar to Internet mirror sites - 
*. - where the data in one store is copied by the store to 
other, geographically distant document stores. Thus, for 
20 example, there may bea London-based data server, 
and Tokyo and New York-based data servers. On 
receiving a document, the London data server would 
. . copy the document to both the Tokyo and New York data 
servers so that the recipient could retrieve and print the 
25 document from the data server nearest the printer being 
used. Obviously, the data mirroring could be tuned if it is 
known where the recipient is most likely to be when he 
wishes to print the document. For example, if the recipi- 
ent were likely to be in New York, but might instead be in 
30 London, then.a document submitted in London would 
only be mirrored to the New York-based data server. 
■:Such recipient location information could form part of 
/ the user profile information stored by. the directory 
rrserver fl 20. Thus, the location information under these 
35. , ^circumstances would also be returned to the local com- 
vputer 100 with the public key. information, ; and this infor- 
mation would also be forwarded to the document store 
130. 

[0064] It is envisaged that the directory server 120 will hold other user profile information. For example, a recipient may only ever wish to receive documents from one specified printer. In this case, the information returned by the directory server 120 would reflect this and the document store 130 would then only release the encrypted document to the specified printer. Other information held by the directory server 120 for particular users might include printer information, which determines how the document is formatted by the local computer 100, for example, whether to format the document into PostScript or PCL. In general, it is expected that the user can access the directory server 120, for example via the Internet, and modify his user profile whenever required.

[0065] It will also be appreciated that the components and processes described above need not reside on different computers. For example, the local computer 100 could support the directory server and document store processes, as well as a secure printer process.

[0066] Furthermore, there is no reason why any or all of the processes described herein could not be located and called from any of a number of different computer systems connected to the distributed environment. Having said this, it is important, although not essential, that documents that require secure printing do not pass across any publicly accessible or low security communications channels without being in an encrypted state.

Claims 

1. Hardcopy apparatus arranged for receiving, decrypting and rendering documents, the hardcopy apparatus comprising:

    interface means for receiving from a document source an encrypted document;
    processing means configured for decrypting the encrypted document; and
    rendering means for producing a hard copy of the decrypted document.

2. Hardcopy apparatus according to claim 1, further comprising input/output means for communicating with a removable processing means.

3. Hardcopy apparatus according to claim 3, wherein the input/output means is a smart card reader and the removable processing means is a smart card received by the smart card reader.

4. Hardcopy apparatus according to claim 4, wherein the processing means is configured for receiving information from the smart card reader, when a smart card is received thereby, and using the information to retrieve and decrypt an encrypted document.

5. Hardcopy apparatus according to claim 4, wherein the processing means is configured for:

    receiving from the smart card an identity and sending a first message via the interface means to the document source, the message including at least an indication of the identity; and
    receiving from the document source, via the interface means, in response to the first message, a return message including at least an encrypted session key for an encrypted document stored by the document source and having a matching identity.

6. Hardcopy apparatus according to claim 5, wherein the processing means is configured for sending the encrypted session key to the smart card reader, for the smart card to extract the session key, and receiving back the session key.

7. Hardcopy apparatus according to claim 6, wherein the processing means is configured for using the session key to decrypt the encrypted document.

8. Hardcopy apparatus according to any one of the preceding claims, comprising a printer.

9. Hardcopy apparatus according to any one of claims 1 to 7, comprising a facsimile machine.

10. A method of controlling hardcopy apparatus to render an encrypted document, comprising the steps of:

    retrieving from a document source an encrypted document;
    decrypting the encrypted document; and
    rendering the document to produce a hardcopy thereof.

11. A method according to claim 10, further comprising the step of providing the hardcopy apparatus with identity information, to determine which document the hardcopy apparatus retrieves.

12. A method according to claim 10 or claim 11, further comprising the step of providing the hardcopy apparatus with decryption information to enable the hardcopy apparatus to decrypt the retrieved document.

13. A method according to claim 11 or claim 12, wherein the identity information is stored on a smart card, and is transferred to the hardcopy apparatus by means of a smart card reader associated with the hardcopy apparatus.

14. A method according to any one of claims 10 to 13, further comprising the step of retrieving from the document source an envelope associated with the encrypted document, the envelope comprising a session key encrypted using a public key encryption algorithm, decrypting the session key using a corresponding private key, and decrypting the document using the session key.

15. A method according to claim 13, wherein the step of decrypting the session key is enacted by a smart card which is received by a smart card reader associated with the hardcopy apparatus.

16. A computer system arranged for secure rendering of documents, the system comprising:

    secure printing means for encrypting a document for an intended recipient and forwarding to a document store means the encrypted document with identity information of the intended recipient;
    document store means for receiving encrypted documents and respective identity information and storing said encrypted documents and respective information, and for receiving requests from hardcopy apparatus for documents having a specific identity and sending respective documents to the respective requesting hardcopy apparatus; and
    hardcopy apparatus arranged for requesting of the document store means transfer of encrypted documents having a specific identity, decrypting received documents and rendering in hardcopy form decrypted documents.

17. A computer system as claimed in claim 16, wherein the secure printing means is arranged for enacting public key encryption and the hardcopy apparatus is arranged for providing corresponding private key decryption.

18. A computer system as claimed in claim 16 or claim 17, wherein the hardcopy apparatus is arranged for sending data that is encrypted with a public key to a removable processing means for decryption thereby using a corresponding private key.

19. A computer system as claimed in claim 18, wherein the hardcopy apparatus comprises a smart card reader and the removable processing source is a smart card.

20. A document server, comprising document processing means arranged for:

    receiving encrypted documents;
    storing encrypted documents;
    receiving requests for specific documents;
    searching the stored documents for the specific documents; and
    returning found documents to the requesting party.
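The envelope flow of claims 5 to 7 and 14, together with the identity-keyed store of claim 20, modelled as an added Go example; this is not code from the patent or from any product implementing it. RSA-OAEP, AES-256-GCM, the map-backed store, the example identity strings and binding the identity as associated data are assumptions chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is one stored print job (claim 14): document under a fresh session key, key wrapped for the recipient.
type Envelope struct {
	Identity          string // recipient identity the store searches on (claims 16, 20)
	WrappedKey        []byte // session key under RSA-OAEP (assumed algorithm)
	Nonce, Ciphertext []byte // document under AES-256-GCM (assumed algorithm)
}
// DocumentStore releases envelopes by identity (claim 20); it holds no key, so a compromised store yields only ciphertext.
type DocumentStore map[string]Envelope
// SmartCard holds the private key, which never leaves it; the card only unwraps session keys (claims 6 and 15).
type SmartCard struct {
	Identity string
	Priv     *rsa.PrivateKey
}
func (c *SmartCard) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, c.Priv, wrapped, nil)
}
func gcmFor(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// SecurePrint is the local-computer side (claim 16): encrypt one document for one recipient.
func SecurePrint(identity string, pub *rsa.PublicKey, doc []byte) (Envelope, error) {
	buf := make([]byte, 44) // 32-byte session key followed by a 12-byte GCM nonce
	rand.Read(buf)          // crypto/rand.Read never fails on Go 1.24+ (assumed here)
	key, nonce := buf[:32], buf[32:]
	// The identity is bound as associated data, so a job relabelled for another recipient fails at the printer.
	ct := gcmFor(key).Seal(nil, nonce, doc, []byte(identity))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return Envelope{identity, wrapped, nonce, ct}, err
}
// PrinterRender is the flow of claims 5 to 7: identity from the card, envelope from the store, key via the card, decrypt in the printer.
func PrinterRender(store DocumentStore, card *SmartCard) ([]byte, error) {
	env, ok := store[card.Identity]
	if !ok {
		return nil, errors.New("no document stored for identity")
	}
	key, err := card.Unwrap(env.WrappedKey) // fails for any other recipient's card
	if err != nil {
		return nil, err
	}
	return gcmFor(key).Open(nil, env.Nonce, env.Ciphertext, []byte(env.Identity))
}
```

The store and any network path between local computer, store and printer only ever carry the envelope, which is the property paragraph [0066] asks for.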